Voice over internet protocol (VoIP) service is becoming popular due to the advanced telephony features provided by the VoIP service and its cost effectiveness. Session initiation protocol (SIP) is emerging as a de-facto standard for a signaling control protocol to establish a VoIP session. However, the SIP protocol is vulnerable to various SIP application attacks. The SIP application attacks may be classified as signature based attacks and non-signature based attacks. The signature based attacks exploit known vulnerabilities of the SIP protocol. Every signature based attack includes an attack signature that describes a pattern of a known security violation. For example, a SIP non-American standard code for information interchange (ASCII) attack is characterized by the presence of non-ASCII characters within a ‘Call-ID’ header field of the SIP messages. The non-signature based attacks employ a sequence of legitimate and malignant SIP messages to create a partial or a full denial of service (DoS) condition. Besides DoS attacks, such malignant activities composed of legitimate messages also include SIP brute-force attacks and scanning attacks that automatically send different types of SIP messages over a relatively short time. Through the scanning attacks, an attacker may expose information, such as, but not limited to, a SIP server's application information, user information, and registered users. This may lead to unauthorized use of resources of the SIP server, fraud, SPAM over internet telephony (SPIT), call redirection, and exploitation of known SIP vulnerabilities.
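The two attack classes above, as an added defender-side example that is not part of the original text: a signature check for non-ASCII bytes in the ‘Call-ID’ header, and a per-source sliding-window rate check for scanning or brute-force bursts. The SIP messages, source addresses, window length and threshold are constructed for this example, not taken from the page.

```python
# Added example (not from the original text): minimal SIP monitor illustrating
# a signature-based check and a non-signature (rate anomaly) check.
import re
from collections import defaultdict, deque

# Constructed SIP messages (not captured traffic).
BENIGN = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
          b"Call-ID: a84b4c76e66710@pc33.example.com\r\n\r\n")
NON_ASCII = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
             b"Call-ID: \xc3\xa9vil@pc33.example.com\r\n\r\n")

CALL_ID_RE = re.compile(rb"^Call-ID:\s*(.*?)\r?$", re.MULTILINE | re.IGNORECASE)

def call_id_is_non_ascii(msg: bytes) -> bool:
    """Signature check: True if the Call-ID header holds any byte above 0x7F."""
    m = CALL_ID_RE.search(msg)
    if m is None:
        return False  # no Call-ID header: nothing to match against
    return any(b > 0x7F for b in m.group(1))

class RateMonitor:
    """Non-signature check: count messages per source inside a sliding window.
    Flagging is per source, not per server port, so a burst from one address
    does not cut off legitimate users sharing the same port."""
    def __init__(self, window_s: float, limit: int):
        self.window_s = window_s
        self.limit = limit
        self.hist = defaultdict(deque)  # src -> timestamps within the window

    def observe(self, src: str, ts: float) -> bool:
        q = self.hist[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()  # drop timestamps that fell out of the window
        return len(q) > self.limit

def classify(msg: bytes, src: str, ts: float, monitor: RateMonitor) -> str:
    """Return a verdict label for one observed SIP message."""
    if call_id_is_non_ascii(msg):
        return "signature:non-ascii-call-id"
    if monitor.observe(src, ts):
        return "anomaly:rate"
    return "ok"
```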
Many existing solutions for preventing SIP attacks analyze the SIP messages for attack signatures of known signature based attacks to predict a possible attack. A major disadvantage of these solutions is their inability to prevent zero-day attacks. Furthermore, the signatures need to be updated to mitigate any new signature based attacks.
Some of the techniques to protect SIP servers against non-signature based attacks monitor SIP message traffic at various ports of a protected SIP server. These techniques predict an attack when an anomaly in the SIP message traffic is detected. To prevent the attack, an attacked port of the protected SIP server is disabled, thereby blocking any SIP message traffic through the attacked port. However, this leads to blocking of legitimate users as well.
Furthermore, one or more of the above-mentioned techniques need human intervention to decide whether an attack is in progress. This slows the response to the attack and creates the partial or full DoS condition in the intervening interval.
Therefore, there is a need in the art for a protection scheme that provides protection against SIP attacks without a need for any human intervention or an update of the attack signatures while allowing SIP message traffic for legitimate users.